A new information-stealing trojan is fast gaining currency among cybercriminals for its ability to harvest sensitive data such as credit card details, cryptocurrency wallets, and email credentials.
Dubbed Raccoon Stealer, the malware first emerged in April 2019 and has since infected hundreds of thousands of Windows devices around the world, Boston-based endpoint security solutions provider Cybereason said.
“Its popularity, even with a limited feature set, signals the continuation of a growing trend of the commoditization of malware as they follow a MaaS (Malware-as-a-Service) model and evolve their efforts,” the researchers stated.
Costing $200 per month, Raccoon is suspected to be of Russian origin. It is aggressively marketed on underground forums and comes with round-the-clock customer support, with the operator answering community questions and comments on Telegram under the handle “glad0ff.”
The “glad0ff” actor has previously been linked to a variety of malware, including the Decrux and Acrux cryptominers, the Mimosa RAT and the ProtonBot loader, Cybereason said.
Raccoon reaches victims through three main routes: exploitation of unpatched software vulnerabilities on the target’s machine, phishing emails that rely on social engineering tricks, and bundling with otherwise legitimate software downloaded from sketchy websites.
Once installed, the malware connects to its command-and-control (C2) server and exfiltrates data from the victim machine, including screenshots, credit card information, cryptocurrency wallets, browser-stored passwords, emails, and system details. Before doing so, it checks the device’s language settings and only proceeds if they are not set to Russian, Ukrainian, Belarusian, Kazakh, Kyrgyz, Armenian, Tajik, or Uzbek.
If one of those languages matches, Raccoon aborts immediately. Locale kill switches of this kind are a common way for criminal operators in Russia and neighbouring post-Soviet states to avoid infecting victims in their own jurisdictions, so the researchers treat the check as strong evidence that the threat actors are based in Russia. It is a heuristic rather than proof: the check can be dropped in later builds, and because Raccoon is sold as a service it says nothing about where the customers who deploy it operate.
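To make the kill switch concrete, here is an illustrative reimplementation of such a locale check. It is an added example, not Raccoon’s own code or anything from the Cybereason report; the assumption that the check is done on Windows language identifiers (LCIDs) returned by GetUserDefaultUILanguage is ours, as are the function names. It shows one detail the description above glosses over: an LCID packs the primary language in its low 10 bits and the country variant in the high 6 bits, so a check on the primary language catches ru-RU and ru-MD alike while letting en-US through.

```python
# Illustrative locale-based kill switch (added example; NOT Raccoon's code).
# Assumption: the malware reads the Windows UI language as an LCID via
# kernel32.GetUserDefaultUILanguage and compares its primary language ID.
import ctypes
import sys

# Primary language IDs (LANG_* constants from winnt.h) for the languages the
# article lists. ru-RU (0x0419) and ru-MD (0x0819) both map to 0x19.
CIS_PRIMARY_LANGS = {
    0x19: "Russian",
    0x22: "Ukrainian",
    0x23: "Belarusian",
    0x3F: "Kazakh",
    0x40: "Kyrgyz",
    0x2B: "Armenian",
    0x28: "Tajik",
    0x43: "Uzbek",
}


def primary_lang(lcid: int) -> int:
    """PRIMARYLANGID(lcid): the low 10 bits of a Windows language identifier."""
    return lcid & 0x3FF


def should_abort(lcid: int) -> bool:
    """True if the UI language is one the stealer refuses to run under."""
    return primary_lang(lcid) in CIS_PRIMARY_LANGS


def current_ui_lcid() -> int:
    """Read the UI language on Windows; elsewhere return en-US (0x0409) so the example runs anywhere."""
    if sys.platform == "win32":
        return ctypes.windll.kernel32.GetUserDefaultUILanguage()
    return 0x0409


def decide(lcid: int) -> str:
    """Return the branch the stealer would take for a given LCID."""
    if should_abort(lcid):
        name = CIS_PRIMARY_LANGS[primary_lang(lcid)]
        return f"locale {lcid:#06x} ({name}): abort, no C2 contact, no collection"
    return f"locale {lcid:#06x}: proceed to C2 check-in and data collection"


if __name__ == "__main__":
    print(decide(current_ui_lcid()))
```

The defender-side corollary, installing a Russian UI language or keyboard layout as a cheap “vaccine,” only defeats strains that implement exactly this check and should not be mistaken for a real control; it is a useful lab trick for confirming which branch a sample takes, nothing more.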
“Raccoon’s popularity, combined with its limited feature set yet high adoption, speaks to a growing trend of the commoditization of malware, as malware authors shoot to create platforms for crime instead of committing the crimes directly,” Cybereason noted.
The attacks are yet another sign that threat actors are actively combining software exploitation with phishing to distribute and install malware. Timely patching closes the exploited vulnerabilities, but because Raccoon also arrives through phishing emails and trojanized downloads, patching needs to be paired with email filtering, user awareness, and restricting software installation to trusted sources.